DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF INSPECTOR GENERAL

Office of Audit Services, Region III
Public Ledger Building, Suite 316
150 S. Independence Mall West
Philadelphia, PA 19106-3499

JUN 17 2009

Report Number: A-03-08-00013

Mr. James A. Honchar, SPHR
Deputy Secretary for Human Resources and Management
Governor's Office of Administration
613 North Street
Finance Building, Room 517
Harrisburg, Pennsylvania 17120

Dear Mr. Honchar:

Enclosed is the U.S. Department of Health and Human Services (HHS), Office of Inspector
General (OIG), final report entitled "Review of Retiree Drug Subsidy Plan Sponsor
Commonwealth of Pennsylvania for Plan Year Ended December 31, 2006." We will forward a
copy of this report to the HHS action official noted on the following page for review and any
action deemed necessary.

The HHS action official will make final determination as to actions taken on all matters reported.
We request that you respond to this official within 30 days from the date of this letter. Your
response should present any comments or additional information that you believe may have a
bearing on the final determination.

Pursuant to the Freedom of Information Act, 5 U.S.C. § 552, OIG reports generally are made
available to the public to the extent that information in the report is not subject to exemptions in
the Act.
Accordingly, this report will be posted on the Internet at http://oig.hhs.gov.

If you have any questions or comments about this report, please do not hesitate to call me, at
(215) 861-4470, or contact Nicole Freda, Audit Manager, at (215) 861-4497 or through e-mail at
Nicole.Freda@oig.hhs.gov. Please refer to report number A-03-08-00013 in all correspondence.

Sincerely,

Stephen Virbitsky
Regional Inspector General
for Audit Services

Enclosure

Direct Reply to HHS Action Official:

Ms. Nanette Foster Reily, Consortium Administrator
Consortium for Financial Management & Fee for Service Operations
Center for Medicare & Medicaid Services
601 East 12th Street, Room 235
Kansas City, Missouri 64106

Department of Health and Human Services
OFFICE OF INSPECTOR GENERAL

REVIEW OF RETIREE DRUG SUBSIDY PLAN SPONSOR COMMONWEALTH OF
PENNSYLVANIA FOR PLAN YEAR ENDED DECEMBER 31, 2006

Daniel R. Levinson
Inspector General

June 2009
A-03-08-00013

Office of Inspector General
http://oig.hhs.gov

The mission of the Office of Inspector General (OIG), as mandated by Public Law 95-452, as
amended, is to protect the integrity of the Department of Health and Human Services (HHS)
programs, as well as the health and welfare of beneficiaries served by those programs.
This statutory mission is carried out through a nationwide network of audits, investigations, and
inspections conducted by the following operating components:

Office of Audit Services

The Office of Audit Services (OAS) provides auditing services for HHS, either by conducting
audits with its own audit resources or by overseeing audit work done by others. Audits examine
the performance of HHS programs and/or its grantees and contractors in carrying out their
respective responsibilities and are intended to provide independent assessments of HHS
programs and operations. These assessments help reduce waste, abuse, and mismanagement and
promote economy and efficiency throughout HHS.

Office of Evaluation and Inspections

The Office of Evaluation and Inspections (OEI) conducts national evaluations to provide HHS,
Congress, and the public with timely, useful, and reliable information on significant issues.
These evaluations focus on preventing fraud, waste, or abuse and promoting economy,
efficiency, and effectiveness of departmental programs. To promote impact, OEI reports also
present practical recommendations for improving program operations.

Office of Investigations

The Office of Investigations (OI) conducts criminal, civil, and administrative investigations of
fraud and misconduct related to HHS programs, operations, and beneficiaries. With
investigators working in all 50 States and the District of Columbia, OI utilizes its resources by
actively coordinating with the Department of Justice and other Federal, State, and local law
enforcement authorities.
The investigative efforts of OI often lead to criminal convictions,
administrative sanctions, and/or civil monetary penalties.

Office of Counsel to the Inspector General

The Office of Counsel to the Inspector General (OCIG) provides general legal services to OIG,
rendering advice and opinions on HHS programs and operations and providing all legal support
for OIG’s internal operations. OCIG represents OIG in all civil and administrative fraud and
abuse cases involving HHS programs, including False Claims Act, program exclusion, and civil
monetary penalty cases. In connection with these cases, OCIG also negotiates and monitors
corporate integrity agreements. OCIG renders advisory opinions, issues compliance program
guidance, publishes fraud alerts, and provides other guidance to the health care industry
concerning the anti-kickback statute and other OIG enforcement authorities.

Notices

THIS REPORT IS AVAILABLE TO THE PUBLIC
at http://oig.hhs.gov

Pursuant to the Freedom of Information Act, 5 U.S.C. § 552, Office of
Inspector General reports generally are made available to the public to
the extent that information in the report is not subject to exemptions in
the Act.

OFFICE OF AUDIT SERVICES FINDINGS AND OPINIONS

The designation of financial or management practices as questionable, a
recommendation for the disallowance of costs incurred or claimed, and
any other conclusions and recommendations in this report represent the
findings and opinions of OAS. Authorized officials of the HHS operating
divisions will make final determination on these matters.

EXECUTIVE SUMMARY

BACKGROUND

Title I of the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA)
amended Title XVIII of the Social Security Act (the Act) by establishing the Medicare Part D
prescription drug program.
Under Part D, which began January 1, 2006, individuals entitled to
benefits under Part A or enrolled in Part B may obtain drug coverage. In addition, Section 101
of the MMA established the Retiree Drug Subsidy (RDS) program.

The Centers for Medicare & Medicaid Services (CMS) is responsible for administering the
program. CMS makes subsidy payments to sponsors (employers and unions) of qualified retiree
prescription drug plans for qualifying retirees covered under the plans. A qualifying covered
retiree is a Medicare Part D eligible individual who is not enrolled in a Part D plan but who is
covered by a qualified retiree prescription drug plan. The subsidy payments for each qualifying
covered retiree generally equal 28 percent of allowable retiree drug costs.

Medicare requires that the sponsor of a qualified retiree prescription drug plan submit an RDS
application to CMS each year. The application must include identifying information for the plan
sponsor, an actuarial attestation that the actuarial value of the retiree prescription drug coverage
under the plan is at least equal to the actuarial value of the defined standard prescription drug
benefit under Medicare Part D, a list of qualifying covered retirees and identifying information,
and a sponsor agreement signed by an authorized representative of the plan sponsor.

The Commonwealth of Pennsylvania (Pennsylvania) offers prescription drug coverage to its
retired employees through its Retired Employees Health Program (REHP). The REHP is
administered by the Pennsylvania Employees Benefit Trust Fund (PEBTF). PEBTF uses an
outside vendor to report prescription drug costs to CMS.
For plan year 2006, Pennsylvania
received $29,953,907 in subsidy payments based on reported gross retiree drug costs of
approximately $154.9 million and allowable retiree costs of approximately $107 million.

OBJECTIVES

Our objectives were to determine whether Pennsylvania (1) met the plan sponsor requirements,
(2) established controls to ensure that drug costs were correctly reported, and (3) established
administrative safeguards over retiree data included in the RDS secure Web site.

SUMMARY OF FINDINGS

Pennsylvania’s REHP met the requirements to be considered a qualified retiree prescription drug
plan and Pennsylvania established controls to ensure that drug subsidy costs were correctly
reported.

However, Pennsylvania did not establish adequate administrative safeguards over retiree data.
Specifically, Pennsylvania did not terminate a former employee’s access to RDS information.
As a result, the confidentiality, integrity, and availability of electronic protected health
information could be diminished. Pennsylvania’s lack of administrative safeguards was due to a
lack of adequate internal controls over protected health information.

RECOMMENDATION

We recommend that Pennsylvania follow the regulations to ensure that only eligible employees
have access to the RDS secure Web site.

COMMONWEALTH OF PENNSYLVANIA COMMENTS

In its comments on our draft report, Pennsylvania concurred with our recommendation and
outlined the steps it had taken to implement our recommendation.
Pennsylvania’s comments are
included in their entirety as the Appendix.

TABLE OF CONTENTS

INTRODUCTION

        BACKGROUND
          Retiree Drug Subsidy
          Plan Sponsor Requirements
          Qualifying Covered Retirees
          Retiree Drug Costs
          Retiree Drug Subsidy Secure Web Site
          Commonwealth of Pennsylvania

        OBJECTIVES, SCOPE, AND METHODOLOGY
          Objectives
          Scope
          Methodology

FINDINGS AND RECOMMENDATION

        PLAN SPONSOR REQUIREMENTS
          Federal Requirements
          Results of Review of Plan Sponsor Requirements

        SAFEGUARDING RETIREE DATA
          Data Security Requirements
          Results of Review of Administrative Safeguards Over Retiree Data
          Effect on Electronic Protected Health Information

        RECOMMENDATION

        COMMONWEALTH OF PENNSYLVANIA COMMENTS

APPENDIX

        COMMONWEALTH OF PENNSYLVANIA COMMENTS

INTRODUCTION

BACKGROUND

Retiree Drug Subsidy

Title I of the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA)
amended Title XVIII of the Social Security Act (the Act) by establishing the Medicare Part D
prescription drug program. Under Part D, which began January 1, 2006, individuals entitled to
benefits under Part A or enrolled in Part B may obtain drug coverage. In addition, Section 101
of the MMA established the Retiree Drug Subsidy (RDS) program.

The Centers for Medicare & Medicaid Services (CMS) is responsible for administering the
program. Under the program, CMS makes subsidy payments to sponsors (employers and
unions) of qualified retiree prescription drug plans for each qualifying retiree covered under the
plan.
A qualifying covered retiree is a Medicare Part D eligible individual who is not enrolled in
a Part D plan but who is covered by a qualified retiree prescription drug plan.

The subsidy payments for each qualifying covered retiree generally equal 28 percent of
allowable retiree drug costs. Allowable retiree drug costs are based on gross retiree costs
between a cost threshold and a cost limit,[1] minus any price concessions such as discounts or
rebates.

Plan Sponsor Requirements

Medicare requires that the sponsor of a qualified retiree prescription drug plan submit an RDS
application to CMS each year. Pursuant to 42 CFR § 423.884(c), the application must include
identifying information for the plan sponsor, an actuarial attestation that the actuarial value of the
retiree prescription drug coverage under the plan is at least equal to the actuarial value of the
defined standard prescription drug benefit under Medicare Part D, a list of qualifying covered
retirees and identifying information, and a sponsor agreement signed by an authorized
representative of the plan sponsor.

Qualifying Covered Retirees

As part of the application process, 42 CFR § 423.884(c) requires that plan sponsors must submit
a list of qualifying covered retirees. The submitted list must include retiree identification
information, as well as the plan sponsor’s coverage effective and termination dates.[2] To process
a retiree file, CMS queries the Medicare Beneficiary Database and determines whether each
individual is a qualifying covered retiree eligible for the subsidy based on Medicare entitlement.
CMS then determines the periods of time during the plan year when the retiree is eligible for the
subsidy. CMS includes the subsidy effective and termination dates in the retiree response file
that it returns to the plan sponsor.

[1] The cost threshold and cost limit are determined by CMS. For plan year 2006 the individual
qualifying retiree cost threshold was $250 and the cost limit was $5,000.

[2] The plan sponsor’s coverage effective and termination dates represent the dates that the plan
sponsor provided the retiree with coverage under the qualified retiree prescription drug plan.

CMS recommends that plan sponsors submit updated retiree files periodically to reflect (1) new
retirees not previously reported, (2) updates to previously accepted retiree records, (3) deletions
for previously accepted retiree records, and (4) resubmissions. Each time a plan sponsor submits
an updated retiree file, CMS prepares a response file. CMS also sends plan sponsors a
notification file when an event occurs—such as a retiree’s death or enrollment in Medicare Part
D—that may affect a plan sponsor’s ability to receive the subsidy for a retiree.

Retiree Drug Costs

Plan sponsors, or their vendors, must accumulate retiree drug costs and prepare and submit cost
reports to CMS before requesting subsidy payments. Plan sponsors can elect to receive interim
subsidy payments based on costs reported to date.
A plan sponsor receiving interim payments is
required to reconcile interim subsidy payments within 15 months after the end of its plan year.
CMS will make any necessary adjustments to interim payments for the plan year when the
reconciliation is completed.

Because plan sponsors submit retiree costs to CMS on an aggregate (rather than an individual
retiree) basis, plan sponsors must carefully manage retiree response and notification files to
ensure that costs are accumulated only for qualifying covered retirees during valid subsidy
periods.

Retiree Drug Subsidy Secure Web Site

CMS, through its contractor ViPS, Inc., created the RDS secure Web site as a secure portal for
plan sponsors participating in the subsidy program to submit RDS applications and requests for
payment. Plan sponsor personnel requiring access to the secure Web site are assigned roles,
including authorized representative, account manager, actuary, and designee. The authorized
representative or account manager can assign designees various duties including completing
portions of the RDS application, submitting retiree data, and requesting subsidy payments.

Commonwealth of Pennsylvania

The Commonwealth of Pennsylvania (Pennsylvania) offers prescription drug coverage to its
retired employees through its Retired Employees Health Program (REHP). The REHP is
administered by the Pennsylvania Employees Benefit Trust Fund (PEBTF). PEBTF administers
health care benefits, including prescription drug benefits, to eligible Commonwealth employees,
retirees, and their dependents. PEBTF uses an outside vendor to report prescription drug costs to
CMS.

Using information from the REHP’s eligibility files, PEBTF manages Pennsylvania’s list of the
RDS-eligible retirees.
PEBTF’s outside vendor is responsible for accumulating retiree drug
costs and for preparing and submitting the cost reports to CMS on Pennsylvania’s behalf. For
plan year 2006, Pennsylvania received $29,953,907 in subsidy payments based on 53,104
eligible retirees with reported gross retiree drug costs of approximately $154.9 million and
allowable retiree costs of approximately $107 million. Pennsylvania reconciled its plan year
2006 subsidy payments on June 24, 2008.

OBJECTIVES, SCOPE, AND METHODOLOGY

Objectives

Our objectives were to determine whether Pennsylvania (1) met the plan sponsor requirements,
(2) established controls to ensure that drug costs were correctly reported, and (3) established
administrative safeguards over retiree data included in the RDS secure Web site.

Scope

We reviewed Pennsylvania’s plan year 2006 RDS application, retiree files, and final cost report.
Our review was limited to determining whether Pennsylvania correctly reported drug costs for
qualifying covered retirees and for applicable periods of RDS eligibility. We also reviewed the
RDS secure Web site users associated with Pennsylvania’s application for plan year 2006. We
did not determine the allowability of the drug costs reported.

Our objectives did not require an understanding or assessment of Pennsylvania’s complete
internal control system.
We limited our review of internal controls to obtaining an understanding
of Pennsylvania’s process for monitoring and updating its retiree files and coordinating with its
outside vendor to ensure that costs claimed for subsidy payments represent costs for qualifying
covered retirees.

We performed our field work at Pennsylvania’s administrative offices in Harrisburg,
Pennsylvania and at their vendor’s offices in Franklin Lakes, New Jersey from June 2008
through January 2009.

Methodology

To accomplish our objectives, we:

   • reviewed applicable Federal laws and regulations, Medicare program guidance, and the
     American Academy of Actuaries’ guidance;

   • met with Pennsylvania’s actuary and reviewed his working papers to verify that the
     actuary had completed and submitted the attestation in accordance with CMS and
     American Academy of Actuaries’ guidance;

   • reviewed Pennsylvania’s notice of creditable coverage sent to Medicare Part D eligible
     retirees for the period beginning January 1, 2006;

   • reviewed Pennsylvania’s 2006 plan year RDS application to determine whether the
     information provided was complete, accurate, and submitted to CMS by the October 31,
     2005, deadline and to verify that CMS had approved the application;

   • selected a judgmental sample of 50 plan year 2006 retirees for whom Pennsylvania
     reported costs and received subsidy payments;

   • reviewed information from the Medicare Beneficiary Database to determine whether the
     sampled retirees were eligible for Medicare Part D and not enrolled in a Part D
     prescription drug plan;

   • reviewed documentation provided by Pennsylvania to determine whether the sampled
     retirees met Pennsylvania’s criteria for retiree health coverage and were enrolled in a
     retiree health plan approved for the RDS;

   • met with Pennsylvania and vendor personnel responsible for the RDS process to obtain
     an understanding of the application process and their procedures for submitting retiree
     files to CMS and processing retiree response and notification files received from CMS;

   • reviewed the reconciled cost report for plan year 2006 submitted by Pennsylvania’s
     vendor to determine the total gross drug costs submitted and the total subsidy payments
     received by Pennsylvania;

   • reviewed the contract between PEBTF and its outside vendor;

   • reviewed detailed drug costs supporting the plan year 2006 final cost report to determine
     whether Pennsylvania correctly reported gross retiree costs within each qualifying
     covered retiree’s valid subsidy period; and

   • identified Pennsylvania’s secure Web site users for the plan year 2006 application and
     determined whether the users were assigned and registered in accordance with program
     policies.

We conducted this performance audit in accordance with generally accepted government
auditing standards. Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions
based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis
for our findings and conclusions based on our audit objectives.

FINDINGS AND RECOMMENDATION

Pennsylvania’s REHP met the requirements to be considered a qualified retiree prescription drug
plan and Pennsylvania established controls to ensure that drug costs were correctly reported.

However, Pennsylvania did not establish adequate administrative safeguards over retiree data.
Specifically, Pennsylvania did not terminate a former employee’s access to RDS information.
As a result, the confidentiality, integrity, and availability of electronic protected health
information could be diminished. Pennsylvania’s lack of administrative safeguards was due to a
lack of adequate internal controls over protected health information.

PLAN SPONSOR REQUIREMENTS

Federal Requirements

Pursuant to 42 CFR § 423.884, employment-based retiree health coverage is considered to be a
qualified retiree prescription drug plan if:

   • the plan provides CMS with an attestation that the actuarial value of the retiree
     prescription drug coverage under the plan is at least equal to the actuarial value of the
     defined standard prescription drug benefit under Part D and

   • Part D eligible individuals covered under the plan are provided with appropriate
     notification regarding creditable drug coverage.

Pursuant to 42 CFR § 423.884(c), the sponsor of a qualified retiree prescription drug plan must
submit an application for the retiree drug subsidy to CMS each year. The application must
include identifying information for the plan sponsor, an actuarial attestation, a list of qualifying
covered retirees and identifying information, and a sponsor agreement signed by an authorized
representative of the plan sponsor.
For plan years ending in 2006, the application deadline was
October 31, 2005.

Results of Review of Plan Sponsor Requirements

Pennsylvania’s REHP met the requirements to be considered a qualified retiree prescription drug
plan under the RDS program. Our review of Pennsylvania’s application shows that all
requirements were met on a timely basis and Pennsylvania was accepted by CMS as a sponsor of
a qualified retiree prescription drug plan eligible for subsidy payments.

SAFEGUARDING RETIREE DATA

Data Security Requirements

The plan sponsor agreement included with the RDS application requires sponsors to establish
and implement proper safeguards against unauthorized use and disclosure of the data exchanged
under the application. By signing the application, the plan sponsor certifies that its retiree group
health plans have established and implemented appropriate safeguards in compliance with the
Health Insurance Portability and Accountability Act (HIPAA) administrative simplification,
privacy, and security rule (45 CFR parts 160, 162, and 164) in order to prevent unauthorized
disclosure of such information or data. The sponsor also agrees that if it participates in the
administration of the plans, then it has also established and implemented the same safeguards in
compliance with the above HIPAA citations.

45 CFR § 164.308(a)(3)(ii)(C) requires that covered entities implement procedures terminating
access to electronic protected health information when the employment of a workforce member
ends.

Results of Review of Administrative Safeguards over Retiree Data

Pennsylvania had not established adequate administrative safeguards over the electronic
protected health information on the RDS secure Web site.
Our review of secure Web site users
associated with Pennsylvania’s application found that the Authorized Representative for the
2006 and 2007 plan years had terminated employment but Pennsylvania had not revoked access
to the secure Web site when that individual left. For the 2-month period after leaving
employment with Pennsylvania, this individual still had access to the RDS secure Web site,
which contains confidential retiree information. This lack of administrative safeguards was due
to a lack of adequate internal controls over protected health information.

Effect on Electronic Protected Health Information

Individuals who have access to sensitive retiree information and are no longer employed by
Pennsylvania diminish the confidentiality, integrity, and availability of electronic protected
health information. Accordingly, during the period of our fieldwork, Pennsylvania drafted a
succession plan to ensure that terminated employees would no longer have access to the RDS
secure Web site.

RECOMMENDATION

We recommend that Pennsylvania follow the regulations to ensure that only eligible employees
have access to the RDS secure Web site.

COMMONWEALTH OF PENNSYLVANIA COMMENTS

In its comments on our draft report, Pennsylvania concurred with our recommendation and
outlined the steps it had taken to implement our recommendation. Pennsylvania’s comments are
included in their entirety as the Appendix.

APPENDIX

HUMAN RESOURCES AND MANAGEMENT

[Date stamp: MAY 21 2009]

May 18, 2009

Stephen Virbitsky
Regional Inspector General
For Audit Services
Office of Inspector General
Office of Audit Services - Region III
Public Ledger Building, Suite 316
150 S. Independent Mall West
Philadelphia, Pennsylvania 19106-3499

Dear Mr. Virbitsky:

The commonwealth has received and reviewed the Office of Inspector General's draft report
A-03-08-00013 entitled "Review of Retiree Drug Subsidy Plan Sponsor Commonwealth of
Pennsylvania for Plan Year Ended December 31, 2006." The commonwealth appreciates the
opportunity to provide comments on the draft report before the final report is issued.

We concur with the Office of Inspector General's (OIG) recommendation that Pennsylvania
follow the regulations to ensure that only eligible employees have access to the RDS Secure
Website. As noted by OIG in the report, as soon as the OIG identified this error, the
commonwealth developed and implemented proper internal controls, as well as a succession
strategy to ensure that only eligible employees have access to the RDS Secure Website.

The commonwealth also would like to acknowledge that throughout the audit process, the
auditors were professional, courteous, and patient in learning the intricacies of our program
and our relationships with various parties. It was a pleasure working with your staff.

If you need any additional information or assistance, please contact Mrs. Tara K. Long at
(717) 787-9872.

Sincerely,

James A. Honchar, SPHR
Deputy Secretary

cc: Secretary Naomi Wyatt

Office of Administration | 517 Finance Building, Harrisburg, PA 17120 | 717.787.8191 | www.oa.state.pa.us